Master Network Threat Analysis: Uncover Hidden Malware & C2 Traffic Like a Pro + Video


Introduction:

Network traffic analysis is the frontline of modern cybersecurity, enabling defenders to detect stealthy command-and-control (C2) communication that bypasses traditional defenses. A comprehensive training approach, such as the one offered by Blackstorm Security, provides SOC analysts and incident responders with the skills to dissect malicious PCAPs, intercept encrypted traffic, and identify advanced persistent threats hiding within network noise.

Learning Objectives:

  • Analyze malicious PCAPs to extract indicators of compromise (IOCs) and identify C2 beacons.
  • Intercept and decrypt encrypted network communications using MITM techniques.
  • Deploy open-source frameworks like Zeek and RITA for automated C2 detection.

You Should Know:

1. Hands-On Malicious PCAP Analysis: From Triage to IOC Extraction

Analyzing a malicious packet capture (PCAP) requires a systematic approach to identify the infected host, the C2 server, and the data exfiltrated. This step-by-step guide uses a real-world scenario involving a Pupy RAT infection and abuse of NetSupport Manager.

Step-by-Step Guide:

Step 1: Set Up an Isolated Analysis Environment

Before opening any PCAP, ensure your virtual machine’s network adapter is disabled to prevent accidental callbacks to live C2 infrastructure.

```bash
# On Linux (Debian-based), disable network interfaces
sudo ifconfig eth0 down
# Or use NetworkManager to turn off all connections
nmcli networking off
```

Step 2: Initial Triage in Wireshark

Load the PCAP into Wireshark and apply filters to remove noise and surface suspicious web requests and TLS handshakes.

```text
# Display filter in Wireshark
(http.request or tls.handshake.type eq 1) and !(ssdp)
```

This filter reveals POST requests to typosquatted domains (e.g., event-time-microsoft[.]org) and TLS handshakes to known malicious domains. Look for randomized URI paths and unusual User-Agent strings (e.g., WindowsPowerShell/5.1...), which indicate script-based malware beacons.

Step 3: Identify the Compromised Host

From the filtered traffic, extract the internal IP and hostname of the infected machine. In the Pupy RAT example, the compromised host was DESKTOP-5AVE44C.massfriction[.]com.

Step 4: Pivot to OSINT for Threat Intelligence

Export suspicious domains (e.g., hillcoweb[.]com) and query threat intelligence platforms.
– Use `nslookup` or `dig` to resolve domains and check for malicious IPs.
– Query AbuseIPDB or ThreatFox via CLI or browser.

```bash
# Check domain reputation using threatfox-cli (if installed)
threatfox-cli query domain hillcoweb[.]com
```

Step 5: Extract Artifacts with NetworkMiner

NetworkMiner passively reconstructs sessions and extracts files, credentials, and hosts from the PCAP.
– Load the PCAP into NetworkMiner (File → Open Capture).
– Review the “Hosts” tab to see outbound connections.
– Check the “Credentials” tab for extracted Kerberos hashes or plaintext passwords. In the Pupy RAT case, NetworkMiner extracted Kerberos hashes for user ‘rgaines’.

Step 6: Deep Dive with TShark and Command-Line Analysis

For large PCAPs, use TShark and tcpdump to quickly extract relevant data.

```bash
# Extract all HTTP requests and responses
tshark -r malicious.pcap -Y "http.request or http.response" -T fields -e http.host -e http.request.uri -e http.response.code

# Extract all TLS SNI (Server Name Indication) fields
tshark -r malicious.pcap -Y "tls.handshake.extensions_server_name" -T fields -e tls.handshake.extensions_server_name

# Count unique source IPs that initiated TCP connections
tshark -r malicious.pcap -Y "tcp.flags.syn==1 and tcp.flags.ack==0" -T fields -e ip.src | sort | uniq -c
```

2. Detecting C2 Communications Using Zeek and RITA

Modern C2 traffic often uses encrypted channels (TLS) or disguises itself as normal web traffic. The combination of Zeek (formerly Bro) for network metadata extraction and RITA (Real Intelligence Threat Analytics) for behavioral analysis provides a powerful, open-source solution for hunting C2 beacons and DNS tunneling.

What the Tools Do:

  • Zeek parses live or recorded traffic into structured logs (conn.log, dns.log, http.log, ssl.log) without decrypting payloads.
  • RITA analyzes Zeek logs to detect beaconing (periodic outbound connections), long connections, and DNS tunneling based on entropy and timing.

Step-by-Step Guide:

Step 1: Install Zeek

```bash
# On Ubuntu 22.04/24.04
sudo apt update && sudo apt install zeek -y
# Or use the official Docker container
sudo wget -O /usr/local/bin/zeek https://raw.githubusercontent.com/activecm/docker-zeek/master/zeek
sudo chmod +x /usr/local/bin/zeek
zeek start
```

Step 2: Capture or Import PCAP into Zeek

Process a PCAP file to generate Zeek logs.

```bash
zeek -Cr malicious.pcap
# This creates multiple log files in the current directory (conn.log, dns.log, etc.)
```

Step 3: Install RITA

```bash
# Download the latest RITA installer
wget https://github.com/activecm/rita/releases/download/v4.11.0/rita-v4.11.0-installer.tar.gz
tar -xf rita-v4.11.0-installer.tar.gz
cd rita-v4.11.0-installer
sudo ./install_rita.sh localhost
```

Step 4: Import Zeek Logs into RITA

```bash
rita import --database=malware_analysis --logs=/path/to/zeek/logs
```

Step 5: Analyze for Beaconing and C2 Patterns

```bash
# Show beaconing scores for all connections
rita show-beacons malware_analysis
```

Focus on entries with high beacon scores, regular intervals (e.g., 30 seconds), and small packet sizes. The `show-long-connections` command can reveal persistent C2 channels.

```bash
rita show-long-connections malware_analysis
```

Step 6: Export HTML Report

RITA can generate an HTML report for easy sharing and visualization.

```bash
rita html-report malware_analysis --output-dir /var/www/html/rita_report
```

This report includes timelines of beaconing activity, DNS tunneling detections, and threat intel matches.
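To make the beacon score concrete, here is an added Python example (not part of the original post and not RITA's own code) that scores the timing regularity of each source/destination pair in Zeek conn.log rows, which is the core of what `rita show-beacons` reports. The conn.log excerpt and its TEST-NET addresses are constructed.

```python
"""Score Zeek conn.log flows for beacon-like timing (a simplified version of RITA's interval check)."""
import statistics
from collections import defaultdict

# Constructed excerpt of a Zeek conn.log (TSV, epoch timestamps, TEST-NET addresses); not real traffic.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
1700000000.0\tC1\t10.0.0.5\t49152\t198.51.100.23\t443\ttcp\tssl\t312\t520
1700000030.0\tC2\t10.0.0.5\t49153\t198.51.100.23\t443\ttcp\tssl\t310\t518
1700000059.8\tC3\t10.0.0.5\t49154\t198.51.100.23\t443\ttcp\tssl\t312\t522
1700000090.1\tC4\t10.0.0.5\t49155\t198.51.100.23\t443\ttcp\tssl\t311\t519
1700000120.0\tC5\t10.0.0.5\t49156\t198.51.100.23\t443\ttcp\tssl\t312\t520
1700000150.1\tC6\t10.0.0.5\t49157\t198.51.100.23\t443\ttcp\tssl\t309\t521
1700000005.0\tC7\t10.0.0.7\t50001\t203.0.113.10\t80\ttcp\thttp\t1200\t48000
1700000012.0\tC8\t10.0.0.7\t50002\t203.0.113.10\t80\ttcp\thttp\t800\t2300
1700000100.0\tC9\t10.0.0.7\t50003\t203.0.113.10\t80\ttcp\thttp\t950\t91000
1700000260.0\tCa\t10.0.0.7\t50004\t203.0.113.10\t80\ttcp\thttp\t1500\t12000
"""


def parse_conn_log(text):
    """Return data rows as dicts keyed by the names in the '#fields' header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def beacon_scores(rows, min_conns=4):
    """Score each (src, dst, dst_port) by interval regularity as 1 - MAD/median, clamped to [0, 1];
    a metronomic beacon scores ~1.0. RITA also weighs payload-size regularity, omitted here."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    results = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        median = statistics.median(intervals)
        mad = statistics.median(abs(i - median) for i in intervals)  # median absolute deviation
        score = max(0.0, 1.0 - mad / median) if median > 0 else 0.0
        results[pair] = {"score": round(score, 3), "interval": round(median, 1), "count": len(times)}
    return results
```

The 10.0.0.5 pair checks in every 30 seconds with sub-second jitter and scores near 1.0; the irregular 10.0.0.7 browsing scores near 0.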

3. Intercepting Secure Communications: Building a Transparent MITM Router

Understanding how to intercept and decrypt “secure” TLS traffic is crucial for blue teams to simulate attacks and test network defenses. This technique, while often associated with offensive security, demonstrates why certificate validation is essential and how attackers can bypass encryption.

What This Does:

A transparent intercepting router manipulates network traffic using ARP spoofing or DHCP configuration to redirect traffic through an interception proxy (like mitmproxy), which performs SSL/TLS termination and re-encryption. IoT devices that fail to validate server certificates are particularly vulnerable.

Step-by-Step Guide:

Step 1: Set Up a Linux Machine as a Transparent Router

Use a Raspberry Pi or any Linux computer with two network interfaces (or one interface plus a Wi-Fi adapter in AP mode). Install the packages required to create an access point and run the proxy.

```bash
sudo apt update && sudo apt install hostapd dnsmasq iptables mitmproxy -y
```

Step 2: Configure HostAPD for Wi-Fi Access Point

Create `/etc/hostapd/hostapd.conf` with the following:

```text
interface=wlan0
ssid=EvilTwinAP
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
```

Step 3: Configure dnsmasq for DHCP and DNS

Edit `/etc/dnsmasq.conf`:

```text
interface=wlan0
dhcp-range=192.168.4.2,192.168.4.20,255.255.255.0,24h
dhcp-option=3,192.168.4.1  # Gateway is the intercepting host
dhcp-option=6,192.168.4.1  # DNS server is the intercepting host
```

Step 4: Enable IP Forwarding and Set Up iptables Rules

```bash
# Enable IP forwarding (run as root)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Redirect all HTTP and HTTPS traffic to mitmproxy's port
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-port 8080
```

Step 5: Run mitmproxy in Transparent Mode

```bash
mitmproxy --mode transparent --showhost
```

Connecting a client device to the “EvilTwinAP” now routes all of its HTTP and HTTPS traffic through mitmproxy. For clients that skip certificate validation (or that trust the mitmproxy CA), the proxy displays every decrypted request and response, including any cleartext credentials sent inside the TLS tunnel; a client that validates certificates properly rejects the proxy's certificate instead, which is exactly the control this test exercises.

4. Cloud Hardening: Detecting Malicious Infrastructure via Passive DNS

Many C2 servers leverage cloud providers like AWS, Azure, or DigitalOcean to avoid reputation blacklists. Blue teams can detect these by correlating passive DNS data and analyzing SSL certificate fingerprints.

Step-by-Step Guide:

Step 1: Extract SSL Certificates from PCAP

Use tshark to dump the certificates seen in TLS handshakes (as hex-encoded DER) and convert them to PEM for inspection with openssl.

```bash
# Dump the first hex-encoded DER certificate from the first TLS handshake and convert it to PEM
tshark -r traffic.pcap -Y "tls.handshake.certificate" -T fields -e tls.handshake.certificate |
  cut -d, -f1 | head -n 1 | tr -d ':' | xxd -r -p > certificate.der
openssl x509 -inform DER -in certificate.der -out certificate.crt
```

Step 2: Analyze Certificate Subject and Issuer

```bash
# Extract issuer and subject details from certificates
openssl x509 -in certificate.crt -text -noout | grep -E "Issuer:|Subject:"
```

Look for certificates that are self-signed, have unusually short lifespans (e.g., less than 30 days), or contain mismatched CN/SAN fields.

Step 3: Cross-Reference with Cloud Provider Subnets

Use `whois` to check if the IP address belongs to a known cloud range.

```bash
whois 45.131.214.85 | grep -E "OrgName|NetName|CIDR"
```

If the IP belongs to a cloud provider, check for historical reports on threat intel platforms.

5. Windows-Based Network Forensics: Using PowerShell and Sysmon

While Wireshark is cross-platform, Windows environments require additional telemetry for host-based network correlation. Sysmon (System Monitor) logs network connections, process creation, and DNS queries, providing context often missing in raw PCAPs.

Step-by-Step Guide:

Step 1: Install and Configure Sysmon

Download Sysmon from Microsoft and install with a comprehensive configuration (e.g., SwiftOnSecurity’s config).

```powershell
# Download Sysmon and config
Invoke-WebRequest -Uri https://live.sysinternals.com/sysmon64.exe -OutFile sysmon64.exe
Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile sysmonconfig.xml
# Install Sysmon
.\sysmon64.exe -accepteula -i .\sysmonconfig.xml
```

Step 2: Query Network Connections from Event Logs

Use PowerShell to extract network connection events (Event ID 3) from the Sysmon log.

```powershell
# Get all network connections (Sysmon Event ID 3) from the last hour
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=3; StartTime=(Get-Date).AddHours(-1)} |
ForEach-Object {
    # Each event's EventData is easiest to read as XML
    $xml  = [xml]$_.ToXml()
    $data = $xml.Event.EventData.Data
    $image    = ($data | Where-Object {$_.Name -eq 'Image'}).'#text'
    $sourceIP = ($data | Where-Object {$_.Name -eq 'SourceIp'}).'#text'
    $destIP   = ($data | Where-Object {$_.Name -eq 'DestinationIp'}).'#text'
    $destPort = ($data | Where-Object {$_.Name -eq 'DestinationPort'}).'#text'
    Write-Output "$image : $sourceIP -> $destIP : $destPort"
}
```

Step 3: Correlate with PCAP Data

Cross-reference the process ID (PID) associated with suspicious outbound connections to determine which executable initiated the traffic. This helps distinguish malware from legitimate applications.

Step 4: Monitor DNS Queries for Data Exfiltration

Sysmon Event ID 22 logs DNS queries. Long, high-entropy (random-looking) subdomain labels (e.g., long.random.subdomain.attack.com) are a classic sign of DNS tunneling.

```powershell
# Show DNS queries (Sysmon Event ID 22) with suspiciously long names
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=22} |
ForEach-Object {
    $xml = [xml]$_.ToXml()
    $query = ($xml.Event.EventData.Data | Where-Object {$_.Name -eq 'QueryName'}).'#text'
    if ($query.Length -gt 50) { Write-Output "Suspicious DNS: $query" }
}
```
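The length check above misses short but random-looking labels. As an added example (not from the original post and not Sysmon's own tooling), the following Python applies both a length and a Shannon-entropy threshold to QueryName values of the kind Event ID 22 records; the query names are constructed, and the registrable domain is approximated as the last two labels.

```python
"""Flag DNS query names whose subdomain is long or random-looking, a common DNS tunneling tell."""
import math
from collections import Counter

# Constructed QueryName values of the kind Sysmon Event ID 22 records; not real queries.
SAMPLE_QUERIES = [
    "www.example.com",
    "updates.example.com",
    "cdn-2.static.example.net",
    "6v5k2q7x9zprwt3m0hbjn4y8c1d.data.exfil-example.org",  # short but random: entropy catches it
    "0a1b2c3d4e5f60718293a4b5c6d7e8f9aabbccddeeff00112233.t.exfil-example.org",  # length catches it
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def subdomain_part(qname):
    """Labels left of the registrable domain (approximated as the last two labels), dots removed."""
    labels = qname.lower().rstrip(".").split(".")
    return "".join(labels[:-2]) if len(labels) > 2 else ""


def is_suspicious(qname, max_len=50, max_entropy=3.5):
    """True when the subdomain exceeds max_len characters or max_entropy bits per character."""
    sub = subdomain_part(qname)
    return len(sub) > max_len or shannon_entropy(sub) > max_entropy


def triage(queries):
    """Return (query, subdomain length, entropy) for every suspicious query."""
    return [(q, len(subdomain_part(q)), round(shannon_entropy(subdomain_part(q)), 2))
            for q in queries if is_suspicious(q)]
```

Tune `max_entropy` against a baseline of your own resolver logs: CDN hostnames with hashed labels are the usual source of false positives.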

What Undercode Say:

  • Passive DNS and SSL fingerprinting directly expose malicious infrastructure hiding behind encryption and cloud providers.
  • The combination of Zeek, RITA, and Sysmon provides a complete, open-source hunting stack that rivals expensive commercial solutions.
  • Transparent MITM attacks remain highly effective against IoT devices, revealing the critical importance of certificate validation even in low-cost products.
  • NetworkMiner’s passive artifact extraction often recovers credentials and files that memory analysis or host forensics might miss.
  • Adapting these techniques to cloud-native environments requires integrating similar telemetry from VPC flow logs, cloud load balancers, and API gateways.

Prediction:

As C2 frameworks increasingly adopt encrypted, legitimate-looking protocols (e.g., HTTPS over common CDNs), signature-based detection will become obsolete. The future of network threat analysis will rely on behavioral and ML-based anomaly detection, integrated with SIEM and SOAR platforms to enable real-time automated response. Investigative skills such as packet analysis and custom I/O pipeline scripting will remain essential for validating automated alerts and hunting novel threats.

Reported By: Aleborges Dfir – Hackers Feeds